Fix checking password from /etc/passwd and /etc/shadow
Krzysztof Oledzki
olemx at ans.pl
Thu Sep 25 04:43:25 EST 2003
On Wed, 24 Sep 2003, Ben Lindstrom wrote:
>
>
> On Wed, 24 Sep 2003, Krzysztof Oledzki wrote:
>
> >
> >
> > On Wed, 24 Sep 2003, Michael Steffens wrote:
> >
> > > Krzysztof Oledzki wrote:
> > > > Hello,
> > > >
> > > > This patch fixes the order of password checking on systems that contain
> > > > an /etc/shadow file (Linux for example). The order is exactly like in the
> > > > linux-shadow-password package. First /etc/passwd is checked, but if the
> > > > password field contains "x" then the password is read from /etc/shadow
> > > > instead.
> > >
> > > What is wrong with the current approach of first checking /etc/shadow
> > > using getspnam, falling back to /etc/passwd if the first didn't return
> > > anything?
> > >
> > > Reversing that order and making the decision depend on a non-zero
> > > value returned from /etc/passwd ("x", "*", whatever?) looks like
> > > making it more complicated to me.
> >
> > If /etc/passwd contains:
> >
> > aqq::1001:100:Aqq:/home/aqq:/bin/bash
> >
> > and /etc/shadow:
> > aqq:!:12319:0:99999:7:::
> >
> > Then login allows this user to log in with an empty password, but openssh does not.
> >
>
> To me this is a bug in the Linux code. /etc/shadow should take priority
> over /etc/passwd.
OK. This "bug" looks like this:

#ifdef SHADOWPWD
        spwd = NULL;
        if (pwd
            && strcmp (pwd->pw_passwd,
                       SHADOW_PASSWD_STRING) == 0) {
                spwd = getspnam (username);
                if (spwd)
                        pwent.pw_passwd = spwd->sp_pwdp;
                else
                        SYSLOG ((LOG_WARN,
                                 "no shadow password for `%s'%s",
                                 username, fromhost));
        }
#endif /* SHADOWPWD */

> ALWAYS.
If you say so... ;-)
Best Regards,
Krzysztof Olędzki
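
The two lookup orders discussed in this thread, run side by side on the aqq entries quoted above. This is an added example, not code from the message, from OpenSSH or from the shadow package. The in-memory tables, the "bob" account and all function names are constructed for illustration and stand in for getpwnam()/getspnam().

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for what getpwnam()/getspnam() would return. */
struct entry { const char *name; const char *field; };

/* aqq: the entries quoted in the message; bob: a constructed normal account. */
static const struct entry PASSWD_DB[] = { { "aqq", "" }, { "bob", "x" } };
static const struct entry SHADOW_DB[] = { { "aqq", "!" }, { "bob", "$6$constructed" } };

static const char *lookup(const struct entry *db, size_t n, const char *user) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].name, user) == 0) return db[i].field;
    return NULL;
}
#define LOOKUP(db, user) lookup((db), sizeof (db) / sizeof (db)[0], (user))

/* login's order: trust /etc/passwd unless its field is "x". */
const char *passwd_first(const char *user) {
    const char *pw = LOOKUP(PASSWD_DB, user);
    if (pw && strcmp(pw, "x") == 0) {
        const char *sp = LOOKUP(SHADOW_DB, user);
        if (sp) return sp;
    }
    return pw;
}

/* Shadow-first order: /etc/shadow wins whenever it has an entry. */
const char *shadow_first(const char *user) {
    const char *pw = LOOKUP(PASSWD_DB, user);
    const char *sp = pw ? LOOKUP(SHADOW_DB, user) : NULL;
    return sp ? sp : pw;
}

/* An empty stored field means an empty password is accepted. */
int accepts_empty(const char *field) { return field && field[0] == '\0'; }

int main(void) {
    const char *users[] = { "aqq", "bob" };
    for (int i = 0; i < 2; i++) {
        const char *a = passwd_first(users[i]), *b = shadow_first(users[i]);
        printf("%s: passwd-first=\"%s\" shadow-first=\"%s\"%s\n", users[i], a, b,
               accepts_empty(a) != accepts_empty(b) ? "  <-- disagree" : "");
    }
    return 0;
}
```

The two orders agree for an account whose /etc/passwd field is "x" and differ only when the two files carry conflicting values, which is the aqq case.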